Privacy commission sets eyes on data aggregators again amid text scams

The National Privacy Commission (NPC) is investigating data aggregators once more for their supposed part in the continued proliferation of text scams, almost three weeks after the government agency downplayed the role of these data firms in the sham.

NPC Deputy Commissioner Leandro Angelo Y. Aguirre said in an interview with DZMM radio over the weekend that scammers have changed their methods to fool people into giving them sensitive personal details.

“There are now sender IDs again that are, for example, pretending your bank account has been compromised, saying to click this link. SIM (subscriber identification module) cards are not used in these instances. It looks like data aggregators were used,” the NPC official said in mixed English and Filipino.

Sought for comment if this would make it harder for authorities to trace these swindlers, Aguirre said otherwise, reasoning that it was actually more difficult for them to catch those who were using pre-paid SIM cards to send scam text messages.

“These aggregators, we can go to them directly, find out who their clients are, and determine which one of their clients sent the message,” he said further in Filipino.

Liability of aggregators

Asked if data aggregators will automatically be held liable for these privacy intrusions, the NPC official said no, explaining that the blame may lie instead with the client firms whose accounts could have been hacked.

“It’s possible that the official account of ‘XYZ’ company was compromised in using the platform of the data aggregator,” he said.

The NPC official said their investigation had branched to two fronts – continuing the investigation on the recent spate of personalized text scams while now looking simultaneously at this relatively new method of scamming mobile phone users.

In a message sent to the Inquirer on Sunday, former privacy commissioner Raymund E. Liboro, who is also the founder of the think tank ‘Privacy and Security by Design,’ said the inclusion of data aggregators in the NPC’s investigation was “better late than never.”

“This is how SMS fraud is happening behind legitimate data aggregators. Some are now using SIM farms that do SMS casting,” said Liboro.

Back in September, the NPC downplayed the possible role of data aggregators in the widely-reported cases of smishing messages, noting that such text scams were being sent through personal SIM cards instead of application-to-phone (A2P) messaging.

“Smishing” is the criminal act of sending text messages to induce individuals to reveal personal information, such as passwords or credit card numbers, or to download malicious programs, such as ransomware.

This is despite Globe Telecoms Inc. reporting to the NPC back in November of 2021 that data broker Macrokiosk, a firm allegedly tapped by China Skyline Telecom, was the primary source of messages that “share the theme of job hiring and contain a Whatsapp contact link.”

This data broker was tagged as one of the responsible firms in either calling or texting millions of Filipinos that offered either jobs or investment schemes.